Generate iOS signing certificate and provisioning profile

Learn how to generate the signing certificate and mobile provisioning profile files used for signing your iOS app.

A signing certificate (.p12 file) is a digital identity used for code signing during the build and archive process. A provisioning profile (.mobileprovision file) authorizes your app to use certain app services and ensures that you’re a known developer developing, uploading, or distributing your app. For more information, see Apple’s What is app signing?

You can use any macOS machine, including the Mac mini host, to generate signing certificates and provisioning profiles. If you have multiple Mac mini hosts, it is recommended to generate all the certificates and provisioning profiles for them on only 1 or 2 machines for better management.

Before you start

- Enroll into either the Apple Developer or Apple Developer Enterprise Program.
- Ensure that the enrolled account has 1 available Apple Development or iOS App Development certificate slot, as the total number of slots is limited. See this article for more details.

Only an Apple Development or iOS App Development certificate can be used. An Apple Distribution or iOS Distribution certificate cannot be used.

Generate a signing certificate

Create a certificate signing request

1. On any macOS machine, launch Keychain Access.
2. From the Keychain Access menu, choose Certificate Assistant, then select Request a Certificate From a Certificate Authority.
3. Input the Email Address and Common Name, but leave CA Email Address blank. Then choose Saved to disk and select Continue.
4. Select Save to download your .certSigningRequest file. You can rename the signing request.

When the signing request is created, the system creates a public and private key (the key pair) under the login keychain. The name of the key pair is the same as the value you provided under Common Name when creating the signing request.
This key pair can be viewed from the Keys tab of the Login keychain.

The generated key pair must not be removed from the keychain, as the signing request (and the subsequent signing certificate) cannot be used without the key pair.

Submit the signing request to generate a .cer file

These steps should be done using the same machine that you created the signing request on.

1. Log into Apple Developer.
2. Under Certificate, IDs & Profiles, select Certificates.
3. Select the plus icon to create a new certificate.
4. Choose Apple Development or iOS App Development, then select Continue.
5. Select Choose File, choose the .certSigningRequest file you generated, then select Continue.
6. Select Download to save the development.cer file to the local machine.

Generate .p12 file

These steps must be done on the same machine you created the certificate signing request on.

1. On the macOS device, launch Keychain Access.
2. Select the login keychain, select Certificates, then drag and drop the development.cer file into the Certificates page.
   Make sure the login keychain is highlighted before you drag and drop the file into Certificates. If another keychain is highlighted instead, such as System, you cannot export the .p12 file.
3. Confirm that after dropping the .cer file into the login keychain, you can expand the cert to view the private key associated with it.
   If you cannot expand the imported certificate to view the private key, double-check that all of the following are true:
   - You are importing the .cer file to the keychain of the same machine you generated the certificate signing request on.
   - You are importing the .cer file to the login keychain, not the System keychain.
   - You did not delete the public and private key pair generated by the system after creating the certificate signing request.
4. Select both the recently imported certificate and its private key, then select Export 2 items.
5. Choose the Personal Information Exchange (.p12) file format, then select Save.
6. Enter a password to protect the certificate and select OK. Note down the password as you need to enter it when importing the file to another machine.
   If you don’t want to enter a password, leave the field blank. Not entering a password for the .p12 file will require the use of Terminal commands to import it to the keychain of another machine. If you are not familiar with the Terminal, it is recommended to enter a password.
7. Input the macOS administrator password to export the .p12 certificate file.

Store this file in a safe location. Move the file to the Mac mini host(s) to import it later.

Generate a provisioning profile

If you have created a provisioning profile that followed the steps in this section, it is not necessary to create a new one for a new signing certificate or adding new UDIDs. Edit a provisioning profile instead.

Create an identifier

Skip this step if you have created an identifier before.

1. At the Apple Developer resources page, select Identifiers.
2. Select the plus icon to create a new identifier.
3. Choose App IDs, then select Continue.
4. Select App as type, then Continue.
5. Add a description for the app ID.
6. For Bundle ID, choose Wildcard.
7. Input the appropriate Bundle ID into the box according to the use cases below:
   - If you do not use Kobiton re-signing service, input com.mobilelabsinc.*.
   - If you use Kobiton re-signing service and want to install any app, input com.*.
   - If you are unsure, input com.* as it will work in most cases.
8. When you’re finished, select Continue.
9. Review the information, then select Register to create the identifier.

Register device UDID

Skip this step if you have registered the UDID before.

1. Note down the UDID of all iOS/iPadOS devices you want to host.
2. At the Apple Developer resources page, select Devices.
3. Choose the plus icon to register new devices.
4. Choose iOS, iPadOS, tvOS, watchOS, visionOS for Platform, then enter the device name and UDID to add a single device.
   Alternatively, select Download sample files and follow the official instructions to register multiple devices, then upload the file by selecting Choose File.
5. Select Continue when you are finished.
6. Review the information and select Register.

Generate .mobileprovision file

1. At the Apple Developer resources page, select Profiles.
2. Choose the plus icon to create a new profile.
3. Select iOS App Development under Development, then Continue.
4. Choose the app ID you created earlier from the dropdown list, then Continue.
5. Choose the certificate you created earlier, then Continue.
6. Choose the devices you registered earlier, then Continue.
7. Input the Provisioning Profile Name, review the information, then select Generate.
8. Select Download to save the .mobileprovision file.

Move the file to the Mac mini host(s) for importing to deviceConnect and deviceShare later.

Edit a provisioning profile

Follow this section to edit an existing provisioning profile to add new certificates or device UDIDs.

You can edit an expired provisioning profile. A new expiry date will be set when saving the changes.

After saving the changes, you must download the edited provisioning profile and import it again to the Mac mini host(s).

1. At the Apple Developer resources page, select Profiles.
2. Select any profile to open it.
3. In the Review Provisioning Profile page, select Edit. The Generate a Provisioning Profile page displays with all the information of the selected provisioning profile. On this page, you can edit the following:
   - Name of the profile.
   - The App ID to use.
   - The signing certificate(s) that are associated with the provisioning profile.
   - The device(s) that are provisioned with the provisioning profile.
4. After making all the changes, select Save.
5. You can then Download the updated provisioning profile, then move the file to the Mac mini host(s) for importing to deviceConnect and deviceShare later.
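
A check that can be run on a downloaded or edited .mobileprovision file before moving it to the Mac mini host(s), added here as an example and not part of the original page or of any Kobiton tooling. It reads the plist embedded in the profile and reports whether the profile is unexpired and contains the expected certificate, device UDIDs and wildcard app ID; the function names and all sample values are assumptions, and the sample profile is constructed.

```python
import plistlib
from datetime import datetime, timezone

def extract_plist(blob: bytes) -> dict:
    """Return the XML plist embedded in a .mobileprovision file.

    The file is a CMS (PKCS#7) signed container; this only locates the
    payload by its markers and does not verify Apple's signature."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def check_profile(blob, cert_der, udids, bundle_pattern, now=None):
    """List reasons the profile would not match the certificate and devices."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    profile = extract_plist(blob)
    ent = profile.get("Entitlements", {})
    problems = []
    if profile["ExpirationDate"] <= now:  # plistlib yields naive UTC datetimes
        problems.append("profile expired")
    if cert_der not in profile.get("DeveloperCertificates", []):
        problems.append("signing certificate not in profile")
    provisioned = set(profile.get("ProvisionedDevices", []))
    problems += [f"UDID not provisioned: {u}" for u in udids if u not in provisioned]
    # application-identifier is "<team prefix>.<bundle ID pattern>"
    app_id = ent.get("application-identifier", "")
    if app_id.partition(".")[2] != bundle_pattern:
        problems.append(f"unexpected app ID: {app_id}")
    if not ent.get("get-task-allow", False):
        problems.append("get-task-allow is not set (not a development profile)")
    return problems

def make_sample(cert_der, udids, expires):
    """Constructed stand-in for a download: filler bytes around a real plist."""
    body = plistlib.dumps({
        "Name": "constructed-dev-profile",
        "ExpirationDate": expires,
        "DeveloperCertificates": [cert_der],
        "ProvisionedDevices": udids,
        "Entitlements": {"application-identifier": "TEAMID0000.com.*",
                         "get-task-allow": True},
    })
    return b"\x30\x82\x00\x00" + body + b"\x00\x00"

if __name__ == "__main__":
    cert = b"constructed DER bytes"  # in practice: open("development.cer", "rb").read()
    blob = make_sample(cert, ["00008030-CONSTRUCTED-UDID"], datetime(2030, 1, 1))
    print(check_profile(blob, cert, ["00008030-CONSTRUCTED-UDID"], "com.*") or "profile OK")
```

An empty list means the profile lines up with the certificate, devices and app ID pattern you passed in; each string in a non-empty list names one mismatch to fix by editing the profile and downloading it again.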